CVE-2022-4681
Published: 06 February 2023
Summary
CVE-2022-4681 is a critical-severity an unspecified weakness vulnerability in Wpwave Hide My Wp. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 8.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The Hide My WP WordPress plugin before version 6.2.9 contains a SQL injection vulnerability. The issue stems from insufficient sanitization and escaping of a parameter passed to a SQL statement inside an AJAX action, allowing direct manipulation of database queries.
Unauthenticated attackers can reach the vulnerable AJAX endpoint over the network without any credentials or user interaction. Successful exploitation can yield full read, write, and delete access to the database, corresponding to the CVSS 9.8 rating that reflects high impact across confidentiality, integrity, and availability.
The issue is documented in the WPScan advisory linked in the references, which identifies the affected plugin versions and the specific injection vector.
EPSS remains flat at 0.0720 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-52005
Vulnerability details
The Hide My WP WordPress plugin before 6.2.9 does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.